Apple responds to XcodeGhost scare with data for devs, public

updated 05:20 pm EDT, Tue September 22, 2015

by MacNN Staff

Chinese malware caused no known harm, but points to a new vector of attack

Apple has now responded publicly to the XcodeGhost malware scare, explaining in a page on its Chinese website addressed to customers that even if they used apps affected by the issue, no personally-identifiable information was gathered. The company removed any affected apps, and explained the cause (iOS programs were built using compromised Chinese versions of Xcode downloaded from other sources), while offering developers a method of ensuring that their own installations of Xcode were valid.

According to Apple, the root of the problem stems from would-be malicious copies of Xcode betas downloaded from third-party servers. However, the company says there is no evidence that either XcodeGhost itself or any of the apps created with it has been used for anything malicious. The code, says Apple, was only capable of sending out some general information about apps and system configuration, with nothing that could be associated with a particular user or group of users having been at risk.

"We're not aware of personally identifiable customer data being impacted, and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords," the page on Apple's website dealing with the issue notes. "We have removed the apps from the App Store that we know have been created with this counterfeit software, and are blocking submissions of new apps that contain this malware from entering the App Store."

"We're working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy," the page goes on to say. "A list of the top 25 most popular apps impacted will be listed soon, so users can easily verify if they have downloaded the latest versions of these apps. After the top 25 impacted apps, the number of impacted users drops significantly. Customers will be receiving more information letting them know if they've downloaded an app/apps that could have been compromised. Once a developer updates their app, that will fix the issue on the user's device once they apply that update."

Separately, the company has contacted developers with new instructions for verifying that their own installation of Xcode has not been altered with the XcodeGhost code: "When downloading Xcode from the Mac App Store, or Apple's website, so long as Gatekeeper is enabled, OS X automatically checks the app's code signature and validates it against Apple's code," the company wrote in an email to developers.

"To verify the identity of your copy of Xcode, run the following command in Terminal on a system with Gatekeeper enabled: spctl --assess --verbose /Applications/Xcode.app," where "Applications" is the directory where Xcode is normally installed. According to Apple, the tool should (after up to several minutes) return the following result for legitimate copies of Xcode from the Mac App Store: "/Applications/Xcode.app: accepted" followed by "source=Mac App Store," or in the case of downloads from the Apple Developer website, the source may also read simply "Apple" or "Apple System."

"Any result other than 'accepted,' or any source other than 'Mac App Store', 'Apple System,' or 'Apple,' indicates that the application signature is not valid for Xcode. You should download a clean copy of Xcode and recompile your apps before submitting them for review," the instructions say. Although harmless, the malware affected many widely-used apps, and embarrassed developers such as Rovio, whose Angry Birds 2 was among the programs affected. Users continue to be at no risk, but should update to the corrected versions at their first convenience.
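The check Apple describes, written out as a small shell script (an added example, not Apple's own tooling): it runs the recommended spctl command and applies the stated acceptance rules, treating anything other than "accepted" with a source of "Mac App Store", "Apple System" or "Apple" as a failed verification. The function and path names are this example's own; the default path assumes Xcode is installed in /Applications.

```shell
# check_spctl_output reads spctl's output from stdin: one "path: verdict"
# line followed by a "source=..." line, as Apple's email describes.
# Returns 0 only when the verdict is "accepted" AND the source is one of
# the three origins Apple lists; any other combination returns 1.
check_spctl_output() {
    verdict=""
    source=""
    while IFS= read -r line; do
        case "$line" in
            source=*)  source="${line#source=}" ;;
            *": "*)    verdict="${line##*: }" ;;
        esac
    done
    [ "$verdict" = "accepted" ] || return 1
    case "$source" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_xcode runs the command from Apple's instructions on a Gatekeeper-
# enabled Mac and applies the check above. spctl writes its verdict to
# stderr, so both streams are captured. Pass another path as $1 if Xcode
# is not installed at the assumed default location.
verify_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if spctl --assess --verbose "$app" 2>&1 | check_spctl_output; then
        echo "OK: $app is signed by Apple"
    else
        echo "FAIL: $app did not pass Gatekeeper assessment; download a clean copy" >&2
        return 1
    fi
}
```

Run `verify_xcode` in Terminal; it exits non-zero whenever the assessment would, by Apple's rules, call for re-downloading Xcode and rebuilding your apps.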

The malware exposed a new vector of attack that Apple will need to guard against: altered copies of the Xcode development tool that surreptitiously inject malicious code into applications created by legitimate and unaware developers. In response to this scare, Apple will be testing apps to ensure that they were created with legitimate, directly-downloaded copies of Xcode, which should eliminate the risk of this particular vector being used again.

The modified copies of Xcode, which have since been taken down from Baidu's cloud storage servers, would only have worked if developers had disabled Apple's Gatekeeper feature, which is specifically designed to prevent such attacks by checking the authenticity of the app's code. Chinese developers sometimes resort to downloading Xcode from alternative sources because Apple's own servers there can sometimes be difficult to access, or slow to deliver.

About 40 apps are thus far known to have been affected, most of them popular Chinese apps such as WeChat and the ridesharing service Didi Kuaidi, but the total could reach into the hundreds. Applications identified as including the XcodeGhost package are Angry Birds 2, CamCard, CamScanner, Card Safe, China Unicom Mobile Office, CITIC Bank move card space, Didi Chuxing, Eyes Wide, Flush, Freedom Battle, High German map, Himalayan, Hot stock market, I called MT, I called MT 2, IFlyTek input, Jane book, Lazy weekend, Lifesmart, Mara Mara, Marital bed, Medicine to force, Micro Channel, Microblogging camera, NetEase, OPlayer, Pocket billing, Poor tour, Quick asked the doctor, Railway 12306, SegmentFault, Stocks open class, Telephone attribution assistant, The driver drops, The Kitchen, Three new board, and Watercress reading, though most of these have since been updated.
